Privacy Impact Assessment-Executive Summary

The Ontario Library Service (OLS) has prepared a Privacy Impact Assessment (PIA) reviewing where personal information might be collected, used, retained, disclosed, secured, or disposed of in the new interlibrary loan (ILL) software, Resource Sharing for Groups (RS4G). While some personal information about library patrons is collected, we have concluded that the collection of this information is permitted under MFIPPA, that the information is protected by both security practices and use policies, and that the privacy risks are minimal. This is based on the following analysis:

  1. Personal information belonging to patrons may be used by library staff as part of the ILL process and, depending on what information the individual libraries choose to include in their requests, may include patron name, library card barcode, phone number, and email address. A record of what the patron has borrowed is also created. In general, this information complies with section 32 of MFIPPA, in which disclosure of personal information is permitted if it is used for the purpose for which it was collected or, as in this case, for a consistent purpose, i.e. to sign out and return a public library book (R.S.O. 1990, c. M.56, s. 31).
  2. Any patron information collected in the ILL system is secured and properly disposed of in the following ways:
      1. Access to sensitive data in transit is protected through HTTPS (HTTP over Transport Layer Security) encryption. AES-256 is used to encrypt data at rest. All data is backed up digitally each day, encrypted, and maintained securely on purpose-built storage arrays with encrypted offsite replication; and
      2. Sensitive data is governed by OCLC’s own privacy and security requirements including the above data security, data audit procedures, the nondisclosure policy for internal data, prohibitions on types of information collected (e.g. sensitive personal or financial information is not collected), and procedures for unauthorized disclosures; and
      3. The personal information on ILL requests is accessible only to the borrowing library staff (or requesting patron, for self-service requests), and is not visible to the lending library; and
      4. Patron information is displayed on printed book stickers/branded book straps, which are attached to a borrowed book, so that libraries can sort requests by patron and patrons can identify their loan for pick up. However, a borrowing library can elect not to include patron data on book straps; and
      5. Libraries may choose to print full- or half-page request information printouts to keep track of requests. Printouts will contain whatever patron information is associated with the request. These are optional printouts and are not required to complete a transaction. Libraries who choose to print them are encouraged to keep these printouts in a secure location; and
      6. Personal data is not used in any statistical reports or other data collections; and
      7. Personal data attached to a completed request will be purged every six months, which is a shorter retention period than is required under Section 5, Regulation 823 of MFIPPA (R.R.O. 1990, Reg. 823).
  3. The OLS may need to collect business information on library locations, and on the library staff who work in interlibrary loan, so that we can create contact information for them in the system. Libraries may also choose to use a generic, non-individualized ILL staff email address as a point of contact. However, according to MFIPPA, Section 2(2), “personal information does not include the name, title, contact information or designation of an individual that identifies the individual in a business, professional or official capacity. 2006, c. 34, Sched. C, s. 13 (3).” Therefore, while we collect this information, it is not a privacy concern.
  4. There are options for libraries to limit the collection of personal information in the following ways, if they so choose:
      1. Using NCIP Technology: Libraries that would like to ensure greater privacy protections can choose to implement NCIP, if their ILS offers this functionality. NCIP (NISO Circulation Interchange Protocol, also known as Z39.83) is a North American standard which allows disparate library systems to talk to each other (for example, the library’s management system and the ILL system). When using NCIP, the patron’s personal information remains in the library’s ILS and is not used or duplicated in the interlibrary loan system. The only data transmitted to the ILL system during an NCIP transaction is a “User Identifier”, which could be an ID for the patron entered by staff when they created the request (e.g., a patron barcode) or an ID for the user who submitted the request in User Portal.
        We believe NCIP is the most secure and reliable way to eliminate any privacy concerns associated with interlibrary loan. The OLS and OCLC are committed to assisting libraries in implementing NCIP in the coming years, and expanding the list of supported ILS systems that can be connected to Resource Sharing for Groups via NCIP. While NCIP integration is provided at no charge by OCLC, libraries will have to investigate whether there is a charge by their own ILS system.
      2. Outside of NCIP Technology: For libraries that do not have the option to use NCIP, there are still options to restrict the personal information entered in the ILL system. Each library can decide what information is required in patron request forms, and can limit this to only the patron ID number/library card number if desired. When requests are received or returned, library staff can look up patron contact information in their own Integrated Library System (ILS) using the library card number. The library would then manually contact the patron via telephone or email. Similarly, library staff can choose to submit requests manually into the ILL system and can thus limit patron information collection as they see fit.

Privacy Roles and Responsibilities to Safeguard Privacy

    1. The OLS will follow all security and disposal procedures for personal information as outlined in item 2, above.
    2. The OLS will include training for libraries that explains how this information is collected, used, retained, disclosed, secured, or disposed of. The OLS will highlight where the libraries themselves must also take responsibility in maintaining the privacy of library patrons, and can make choices to limit the exposure of information (e.g. non-sharing of passwords, limitation of printing any documents or slips that contain patron data, etc.).
    3. Libraries will be required to sign a Participation Agreement with the OLS, in which both their obligations and those of the OLS and OCLC regarding the collection, securing, use and disposal of private information will be delineated.
    4. Libraries that have further privacy concerns can require patrons to sign a disclosure form agreeing to the collection of the information necessary for processing ILL requests. Which information is collected is a local decision, but it could include patron name, library barcode, phone number and email address. This can apply to requests placed by library staff or to requests issued by patrons themselves. The Ministry of Tourism, Culture and Gaming offers a guide to public libraries’ use of patron information and explains how to collect express permission at https://www.ontario.ca/page/public-libraries-use-patron-information.
    5. Once the migration to the new ILL software is complete, the OLS encourages libraries to explore the possibility of an NCIP server, so that patron information does not need to be stored in the ILL system and can remain centralized in the library’s own ILS.

Conclusions

The OLS is confident that all personal information collected, used and/or retained by Resource Sharing for Groups falls under the “consistent use” provision in section 31 of MFIPPA, and that appropriate technical and policy decisions are in place to ensure that the data is secured and disposed of in a satisfactory manner. The OLS will continue to work with libraries to implement NCIP wherever it is feasible, and thus keep as much personal information out of the system as possible.